> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any 
> Allow-IPASudoRules ?
>   
So it looks like the current schema would not fly well with SUDO due to a SUDO
bug/feature. SUDO will match just any first rule that satisfies the
user-host-command combination, but we can't guarantee that rules come in
the same order. So there is a possibility that an allow rule will come
before a deny rule in our case and will be matched.
It is unfortunate and should be fixed by SUDO. In the meantime we need to
alter the schema to be able to express allowed and not allowed commands
in one rule.
It will be up to the admin to know the limitations of SUDO based on the
documentation we provide and construct the rules in a non-contradicting
way. We might be able to add some nice checks in future.

So here is current schema:

objectClasses: (2.16.840.1.113730.3.8.8.TBD
                NAME 'ipaSudoRule'
                SUP ipaAssociation
                STRUCTURAL
                MUST accessRuleType
                MAY ( externalUser $
                      externalHost $ hostMask $
                      memberCmd $ cmdCategory $
                      ipaSudoOpt $
                      ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $
                      ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory )
                X-ORIGIN 'IPA v2' )


We will:
* Remove accessRuleType
* Add memberNotCmd, the same as memberCmd

attributeTypes: (2.16.840.1.113730.3.8.7.TBD
                 NAME 'memberNotCmd'
                 DESC 'Reference to a command or group of the commands that is not allowed.'
                 SUP distinguishedName
                 EQUALITY distinguishedNameMatch
                 ORDERING distinguishedNameMatch
                 SUBSTR distinguishedNameMatch
                 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
                 X-ORIGIN 'IPA v2' )


The logic then will be:
* If no memberCmd, memberNotCmd or cmdCategory attribute is specified,
no command is allowed
* If cmdCategory is specified (the only value is "all"), all other attributes
are ignored and all commands are allowed
* If cmdCategory is not specified:
     * If memberCmd is specified, it defines commands or groups of the
commands that are allowed
     * If memberNotCmd is specified, it defines commands or groups of the
commands that are not allowed
     Both attributes are allowed at the same time, defining allowed and
not allowed commands within the same rule.

This does not solve the problem fully but at least gets us into the same
boat as current SUDO schema.

Comments welcome!
If there are no objections by end of Friday I will craft a patch over
the weekend.

Thanks
Dmitri
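The following is an added example, not FreeIPA project code and not part of the message above. It implements the proposed memberCmd/memberNotCmd/cmdCategory evaluation logic over constructed LDAP-style rule entries, mimics the first-matching-rule behaviour of SUDO described at the top of the message, and adds the kind of contradiction check the message says might come later. Everything below is an assumption of the example: the rules are plain dicts of attribute name to list of values, command groups are resolved through a constructed dict of group DN to member command DNs, the sample DNs are made up, and when one rule lists a command under both memberCmd and memberNotCmd, the not-allowed entry wins (the message leaves that case to the admin).

```python
"""Added example (not FreeIPA code): evaluate the proposed ipaSudoRule
command logic and show why carrying allowed and not-allowed commands in
one rule avoids SUDO's first-match ordering problem.

Assumptions: rules are dicts of LDAP attribute -> list of values; command
groups are resolved via a constructed dict of group DN -> member command
DNs; on overlap inside one rule, memberNotCmd wins and check_rule()
reports the overlap as a contradiction.
"""
from typing import Dict, Iterable, List, Optional, Set

Rule = Dict[str, List[str]]
Groups = Dict[str, Set[str]]

# Constructed sample DNs laid out like an IPA v2 sudo container.
BASE = "cn=sudo,dc=example,dc=com"
IP = f"sudocmd=/sbin/ip,cn=sudocmds,{BASE}"
IPTABLES = f"sudocmd=/sbin/iptables,cn=sudocmds,{BASE}"
BASH = f"sudocmd=/bin/bash,cn=sudocmds,{BASE}"
LS = f"sudocmd=/bin/ls,cn=sudocmds,{BASE}"
NET_TOOLS = f"cn=net-tools,cn=sudocmdgroups,{BASE}"

# Constructed group membership: net-tools contains ip and iptables.
GROUPS: Groups = {NET_TOOLS: {IP, IPTABLES}}


def resolve_cmds(dns: Iterable[str], groups: Groups) -> Set[str]:
    """Expand command-group DNs into member command DNs; plain command DNs pass through."""
    out: Set[str] = set()
    for dn in dns:
        out.update(groups.get(dn, {dn}))
    return out


def rule_allows(rule: Rule, cmd: str, groups: Groups = GROUPS) -> bool:
    """Proposed logic: no command attributes -> nothing allowed;
    cmdCategory=all -> everything allowed; otherwise memberNotCmd denies
    and memberCmd allows (deny wins on overlap; this example's assumption)."""
    category = rule.get("cmdCategory", [])
    allowed = rule.get("memberCmd", [])
    denied = rule.get("memberNotCmd", [])
    if not (category or allowed or denied):
        return False
    if any(v.lower() == "all" for v in category):
        return True
    if cmd in resolve_cmds(denied, groups):
        return False
    return cmd in resolve_cmds(allowed, groups)


def rule_mentions(rule: Rule, cmd: str, groups: Groups) -> bool:
    """True if the rule says anything about cmd, i.e. SUDO would match it."""
    if rule.get("cmdCategory"):
        return True
    listed = resolve_cmds(rule.get("memberCmd", []), groups)
    listed |= resolve_cmds(rule.get("memberNotCmd", []), groups)
    return cmd in listed


def first_match(rules: List[Rule], cmd: str, groups: Groups = GROUPS) -> Optional[bool]:
    """Mimic SUDO as described in the message: the first rule that matches
    the command decides and later rules are never consulted.
    Returns None when no rule mentions the command."""
    for rule in rules:
        if rule_mentions(rule, cmd, groups):
            return rule_allows(rule, cmd, groups)
    return None


def check_rule(rule: Rule, groups: Groups = GROUPS) -> Set[str]:
    """Commands listed (directly or via a group) under both memberCmd and
    memberNotCmd of the same rule: the contradiction the admin must avoid."""
    return (resolve_cmds(rule.get("memberCmd", []), groups)
            & resolve_cmds(rule.get("memberNotCmd", []), groups))


# Two separate rules about the same command: the outcome depends on which
# one the directory happens to return first.
ALLOW_BASH: Rule = {"memberCmd": [BASH]}
DENY_BASH: Rule = {"memberNotCmd": [BASH]}

# One rule carrying both lists: the outcome no longer depends on ordering.
MERGED: Rule = {"memberCmd": [NET_TOOLS], "memberNotCmd": [BASH]}

if __name__ == "__main__":
    print("allow first:", first_match([ALLOW_BASH, DENY_BASH], BASH))  # True
    print("deny first: ", first_match([DENY_BASH, ALLOW_BASH], BASH))  # False
    for cmd in (IP, BASH, LS):
        print("merged:", cmd.split(",")[0], rule_allows(MERGED, cmd))
    print("contradiction:", check_rule({"memberCmd": [NET_TOOLS], "memberNotCmd": [IP]}))
```

Running the block prints True then False for the two orderings of the separate allow and deny rules, while the merged rule answers the same way whichever order it is read in; `check_rule` flags a rule whose group grant and explicit denial overlap so the admin can see the contradiction before SUDO has to resolve it.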


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
